TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

While Controls Have Been Implemented to Address Malware,
Continued Attention Is Needed to Address This Growing Threat

March 10, 2009

Reference Number: 2009-20-045

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

March 10, 2009

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:    Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – While Controls Have Been Implemented to Address Malware, Continued Attention Is Needed to Address This Growing Threat (Audit # 200820014)

This report presents the results of our review of malware prevention and response controls. The overall objective of this review was to determine whether adequate security controls are present to prevent and respond to malware attacks. This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan and was part of our statutory requirements to annually review the adequacy and security of Internal Revenue Service (IRS) information technology.

Impact on the Taxpayer

Malware, also known as malicious code or malicious software, refers to a computer program that is inserted into a computer system with the intent of compromising the confidentiality, integrity, or availability of an organization's data, applications, or operating systems. The IRS' preventive and response controls to address malware are generally effective, but continued attention should be given to 1) limiting some practices that increase the risk of a malware incident1 and 2) increasing employees' awareness of their responsibilities for preventing a malware incident. Without ongoing attention in these areas, IRS computers and the sensitive taxpayer data stored on them are at risk of compromise that could ultimately result in theft of taxpayer identities and fraud.

1 A successful malware incident is one in which the code successfully installs itself on the target computer and can begin executing to accomplish its intended objective.

Synopsis

Malware is a threat that affects all computer system users and is an evolving challenge that is difficult to combat because new malware is written faster than ever before. Malware can be written to disrupt computer system operations, commit identity theft and credit card fraud, and monitor user activity. During Calendar Year 2008, the IRS responded to 961 malware incidents, an increase of 45 percent over the prior year.

The Computer Security Incident Response Center (CSIRC) is responsible for providing the IRS with a team of capable "first responders" organized, trained, and equipped to identify, contain, and eradicate cyber threats targeting IRS computing assets. We determined that the CSIRC's responses to malware incidents were timely and thorough.

To prevent the introduction of malware, the IRS must provide current antivirus software for all workstations and servers, take actions to limit risky practices, and provide regular employee awareness training. Workstations are automatically scanned weekly. However, only 89 percent of IRS servers were scanned weekly. The remaining servers were scanned less frequently or not at all. The introduction of malware on servers is particularly risky because many users access them, making the spread of the malware to other computer systems more likely.

The IRS had adequately implemented many of the enhanced controls outlined in a December 2007 Department of the Treasury memorandum2 to block known malicious sites and prohibit administrator accounts from receiving email from accounts outside of the Department. The IRS is also adequately preventing access to online email accounts outside of the Department for all user accounts, in compliance with its own policy.

The Department of the Treasury memorandum also prohibits administrators from using their administrator accounts to access the Internet unless authorized in writing by the Bureau Chief Information Officer or his or her designee. The Internet is a primary source for malware infections, and administrator accounts are particularly attractive to persons wanting to cause harm to the IRS because the accounts have powerful privileges such as adding users and modifying configurations. If these accounts were infected with malware, unauthorized persons could obtain the same privileges and do malicious damage to the IRS computer network. We identified 63 administrator accounts that had successfully accessed Internet web sites a total of 820 times in a 1-week period. None of these accounts were authorized to access the Internet by the IRS Chief Information Officer. Non-administrator accounts could have been used to accomplish the same purposes without increasing the risk of a malware infection.

Our review of malware incidents reported in Calendar Year 2007 showed that the incidents were caused by IRS employees engaging in activities that increase the risk of malware infection, such as using removable storage devices, downloading software, and opening attachments or links in email. The CSIRC does not routinely contact users when their authorized system activity results in a successful malware incident or when the incident is caused by a violation of IRS policy. We believe that informing users of their specific activities that resulted in malware infections would serve to supplement and personalize the mandatory annual security training provided to employees and better educate users about the malware threat. In addition, while the mandatory annual security training for IRS employees and contractors includes common ways in which users can infect systems with malware, it does not include a thorough list of the actions that have led to malware infections on IRS systems.

2 Department of the Treasury memorandum "Enhanced Cyber Security Controls," dated December 20, 2007.

Recommendations

We recommended that the Chief Information Officer 1) schedule automatic scans of antivirus software on servers, 2) regularly remind administrators not to use their administrator accounts to access the Internet and monitor Internet activity to determine whether administrators are complying with this control, 3) notify employees and their managers when their activity results in a successful malicious code incident, particularly when the activity is a violation of IRS policy, and 4) update the IRS security awareness training to include the use of portable and removable media among the common ways in which users can introduce malicious code to the network and the potential effects.

Response

IRS management agreed with our recommendations and will schedule automated antivirus scans on servers, use the Symantec™ Antivirus console to regularly monitor servers to ensure that antivirus scans are executed weekly, and ensure that administrators are regularly reminded of Internet access restrictions. The CSIRC will continually monitor the enterprise content filtering solution for Internet access by administrator accounts, regularly report violations of Internet access by administrators to the Cybersecurity Operations organization and IRS Security Offices for followup actions, and ensure that employees and their managers are notified regarding applicable incidents. Finally, the IRS will use the security awareness training course mandated by the Department of the Treasury that addresses the proper use of portable and removable media. Management's complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-8510.

Table of Contents

Background ........................................................ Page 1

Results of Review ................................................. Page 3
    The Internal Revenue Service Responded Appropriately When Malware Was Detected ..... Page 3
    Controls to Prevent the Introduction of Malware Can Be Improved ................... Page 3
        Recommendations 1 through 4: ............................................. Page 7

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ......... Page 9
    Appendix II – Major Contributors to This Report ................. Page 12
    Appendix III – Report Distribution List ......................... Page 13
    Appendix IV – Management's Response to the Draft Report ......... Page 14

Abbreviations

CSIRC      Computer Security Incident Response Center
IRS        Internal Revenue Service
US-CERT    United States Computer Emergency Readiness Team

Background

Malware, also known as malicious code or malicious software, refers to a computer program that is inserted into a computer system with the intent of compromising the confidentiality, integrity, or availability of an organization's data, applications, or operating systems. Malware can infect computers in a variety of ways. For example, viruses are self-replicating programs that are often inserted into computer software or data files through user interaction, such as opening a file or running a program. In contrast, trojan horses are self-contained, non-replicating programs that appear to be legitimate programs but that have been replaced or inserted with hidden malicious code. Malware is delivered through commonly used applications and devices, such as email, the Internet, and portable media devices.

Malware is a threat that affects all computer system users and is an evolving challenge that is difficult to combat because new malware is written faster than ever before. A recent report by F-Secure® notes that as much malware was produced in 2007 as was produced in the previous 20 years combined, based on its detections.1 Similarly, Symantec™ reports that, based on its research, there are indications that the rate of malware creation might be exceeding that of legitimate software applications.2 Malware is also difficult to combat because it is delivered through basic, mission-critical applications such as web browsers and email. For example, in August 2008, emails claiming to be CNN or MSNBC news alerts were sent to millions of email accounts in an attempt to lure victims into downloading malware from compromised web sites.

Malware can be written to disrupt computer system operations, commit identity theft and credit card fraud, and monitor user activity. However, not all malware is driven by financial motives. In 2006, hackers stole data from the United States Department of State computer network after a Department of State employee in Asia opened an email that allowed the hackers to break into the Federal Government's computer system. The incident caused all of the Department of State's Internet connections throughout eastern Asia to be severed.

Within the Internal Revenue Service (IRS), the Computer Security Incident Response Center (CSIRC) responds to malicious code incidents. The CSIRC is responsible for providing the IRS with a team of capable "first responders" organized, trained, and equipped to identify, contain, and eradicate cyber threats targeting IRS computing assets.

The IRS CSIRC also shares information regarding malicious web sites it identifies with other Federal Government entities via the Government Forum of Incident Response and Security Teams to enable them to proactively restrict access before they are victimized. From April 1 to June 30, 2008, the Federal Government entities comprising the Government Forum of Incident Response and Security Teams blocked 1,228 malicious web sites. The CSIRC provided the initial intelligence on 461 (38 percent) of these web sites.

1 F-Secure® Data Security Wrap-Up 2007.
2 Symantec™ Internet Security Threat Report, Trends for July–December 2007, Volume XII, published April 2008.

Based on incident data obtained from the CSIRC, the number of malware incidents within the IRS continues to rise each year, as does the IRS' success in preventing malware infection. During Calendar Year 2008, the IRS responded to 961 malware incidents, an increase of 45 percent over the prior year.

To address the malware threat, organizations must implement controls to prevent, detect, and respond to malware. This review focused on the IRS' efforts in preventing and responding to malware. An evaluation of IRS malware detection controls could be included in a subsequent audit.

This review was performed at the IRS National Headquarters in Washington, D.C., in the Office of Cybersecurity during the period October 2007 through September 2008. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Results of Review

The Internal Revenue Service Responded Appropriately When Malware Was Detected

Responding to security incidents is one of the CSIRC's primary responsibilities. CSIRC analysts actively monitor a wide variety of sources such as intrusion detection systems, firewalls, and audit logs to identify potential malicious code incidents. During Calendar Year 2007, the CSIRC identified and responded to 661 malicious code incidents. Once an incident was identified, CSIRC analysts conducted a thorough analysis to determine the source, nature, and purpose of the malicious code. The analysts expeditiously coordinated with the Modernization and Information Technology Services organization and provided instructions for containing and eradicating the malware to protect IRS systems and data from further infection. When possible, the analysts also took appropriate steps to prevent future infections by blocking malware-infected Internet sites. The CSIRC's responses to the incidents we reviewed were timely and thorough.

Controls to Prevent the Introduction of Malware Can Be Improved

Without sufficient controls to prevent the introduction of malware, IRS computers and the sensitive taxpayer data stored on them are at risk of compromise that could ultimately result in theft of taxpayer identities and fraud. To prevent the introduction of malware, large organizations like the IRS must provide current antivirus software for all workstations and servers, take actions to limit risky practices, and provide regular employee awareness training.

Although the IRS effectively implemented antivirus controls for workstations, controls for servers can be improved

While there are numerous ways to help prevent malware from infecting computers, often the last line of defense is antivirus software, which the IRS requires to be installed on all of its computers running the Windows operating system. The IRS also requires antivirus scans to be performed at least weekly.

The IRS' antivirus implementation was generally adequate. The IRS has an adequate process in place to ensure that antivirus software is installed on its workstations and servers. For workstations, which include desktop and laptop computers, virus scans are scheduled to run weekly. If a computer is not on the network when the scan is conducted, the scan begins once the computer logs on to the network. The IRS is updating its computers with new virus signatures3 in a timely manner, with 96 percent of IRS workstations updated within 2 business days and almost 100 percent updated within 1 week of a new signature being identified.

For servers, virus scans are not automated and must be manually initiated by the system administrators. Our analysis of antivirus scans conducted over an 8-week period from May 1 to June 30, 2008, determined that 89 percent of the servers were usually scanned weekly. The remaining servers were scanned less frequently or not at all because the system administrators did not always carry out this responsibility. The introduction of malware on servers is particularly risky because many users access them, making the spread of the malware to other computer systems more likely.

3 A virus signature is the binary pattern of the machine code of a particular virus. Antivirus programs compare their databases of virus signatures with the files on the hard disk and removable media to identify a virus. The antivirus vendor updates the signatures frequently and makes them available to customers via the Internet.

Attention is needed to ensure that administrator account access to the Internet is eliminated

Antivirus software alone is not sufficient to combat the evolving malware threat. In December 2007, the Department of the Treasury issued a memorandum4 requiring enhanced security controls aimed at preventing practices that increase the risk of introducing malware. These enhanced controls include restrictions on use of administrator accounts5 and blocking known malicious web sites.

The IRS has implemented many of the enhanced controls required by the Department of the Treasury. It has adequately implemented controls to block known malicious sites following United States Computer Emergency Readiness Team (US-CERT)6 or Departmental notification of such sites. It is also adequately preventing access to online email accounts outside of the Department of the Treasury for all user accounts, in compliance with its own policy.

The Department of the Treasury memorandum also prohibits administrators from using their administrator accounts to receive email from accounts outside of the Department and from accessing the Internet unless authorized in writing by the Bureau Chief Information Officer or his or her designee. The Internet is a primary source for malware infections. To limit the risk of malware infection, system administrators should be assigned two types of accounts. One account should have the same privileges as those on the accounts for most other employees. The other account should be used to carry out administrator responsibilities and should not be used for email or Internet access.

4 Department of the Treasury memorandum "Enhanced Cyber Security Controls," dated December 20, 2007.
5 An administrator account is a user account present on several popular network operating systems that has the highest level of control over a system and/or network. This account might have the ability to install hardware and software on the system; add, modify, or delete user accounts; and modify a system's security features.
6 The US-CERT is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, the US-CERT coordinates defense against and responses to cyber attacks across the nation.

Administrator accounts are particularly attractive to persons wanting to cause harm to the IRS because the accounts have powerful privileges such as adding users and modifying configurations. If these accounts were infected with malware, unauthorized persons could obtain the same privileges and do significant damage to the IRS computer network. For IRS systems, malware can be used to steal taxpayer data, spy on IRS employee activities to gain access to IRS applications, and disrupt IRS computer operations.

The IRS is adequately preventing administrator accounts from receiving email from outside of the Department of the Treasury and has established procedures for assigning two accounts to administrators. However, in a 1-week period in February 2008, we identified 63 administrator accounts that successfully accessed Internet web sites a total of 820 times. These accesses appeared to be appropriate, with most accesses made to work-related sites. However, the administrator accounts were not authorized to access the Internet by the IRS Chief Information Officer. Non-administrator accounts could have been used to accomplish the same purposes without increasing the risk of a malware infection.

Although we found relatively few accesses by administrators, the scope of our review was limited to only a 1-week period. The IRS did not conduct sufficient monitoring to identify administrator accounts being used to access the Internet. As a result, we do not have assurance that accesses by administrator accounts are sufficiently controlled to prevent compromise by malware-infected sites.

Increased employee awareness of common causes of malware infections is needed

Because security products alone cannot protect systems from the threat of malware, employee awareness training is critical. If users are not sufficiently informed of the threats associated with their activities, they will likely continue to introduce malicious code into the IRS network.

Our review showed that the malware incidents reported in Calendar Year 2007 were caused by activities that increase the risk of malware infection, such as using removable storage devices, downloading software, and opening attachments or links in email.
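Two of the preventive controls examined above, the weekly antivirus scan on servers and the prohibition on administrator accounts browsing the Internet, can be checked mechanically from data the report says the IRS already holds (the antivirus console and the enterprise content filtering solution). The script below is an added example written for this page; it is not part of the report and not an IRS or Symantec tool. It assumes a constructed antivirus-console export, constructed web-proxy log lines, and a hypothetical "adm-" prefix for recognizing administrator account names; the server names, account names and URLs are all made up for illustration.

```python
"""Added example: mechanical checks for two preventive controls from the report,
weekly antivirus scans on servers and no Internet access by administrator accounts.
All data below is constructed for illustration."""
import re
from collections import Counter
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M"
SCAN_MAX_AGE = timedelta(days=7)   # the report: antivirus scans must run at least weekly

# Constructed sample of an antivirus-console export: server -> last completed scan (None = never).
SERVER_LAST_SCAN = {
    "srv-file-01": "2008-06-28 02:10",
    "srv-db-02": "2008-06-29 03:00",
    "srv-web-03": "2008-06-10 01:30",   # stale: well over a week old
    "srv-app-04": None,                 # no scan on record
}


def servers_out_of_compliance(last_scans, as_of):
    """Return [(server, reason)] for servers with no scan or a scan older than SCAN_MAX_AGE at `as_of`."""
    now = datetime.strptime(as_of, TIME_FMT)
    findings = []
    for server, stamp in sorted(last_scans.items()):
        if stamp is None:
            findings.append((server, "never scanned"))
            continue
        age = now - datetime.strptime(stamp, TIME_FMT)
        if age > SCAN_MAX_AGE:
            findings.append((server, f"last scan {age.days} days ago"))
    return findings


# Assumption: administrator accounts carry an "adm-" prefix (hypothetical naming convention).
ADMIN_ACCOUNT = re.compile(r"^adm-", re.IGNORECASE)

# Constructed web-proxy / content-filter log: timestamp, account, decision, URL.
PROXY_LOG = """\
2008-02-04T08:15:02 jsmith     ALLOW http://intranet.example.invalid/
2008-02-04T08:17:45 adm-jsmith ALLOW http://vendor-kb.example.invalid/patch
2008-02-04T09:02:11 adm-rlee   ALLOW http://news.example.invalid/
2008-02-04T09:05:30 adm-rlee   DENY  http://blocked.example.invalid/
2008-02-05T10:40:00 adm-jsmith ALLOW http://vendor-kb.example.invalid/kb/123
2008-02-05T11:12:19 mgarcia    ALLOW http://webmail.example.invalid/
2008-02-06T14:00:05 adm-tchen  ALLOW https://docs.example.invalid/
this line is malformed and is skipped
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<url>\S+)$")


def admin_internet_access(log_text, authorized=frozenset()):
    """Count successful (ALLOW) web accesses per administrator account.

    Accounts in `authorized` (written CIO authorization) are exempt, and DENY
    entries are not counted because a blocked request is not a successful access.
    Returns {account: count}.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            continue                      # tolerate malformed lines instead of aborting the review
        user = m["user"]
        if not ADMIN_ACCOUNT.match(user) or user in authorized:
            continue
        if m["action"] == "ALLOW":
            hits[user] += 1
    return dict(hits)


def summarize_admin_access(log_text, authorized=frozenset()):
    """Roll the per-account counts up into the two figures an auditor reports: accounts and accesses."""
    hits = admin_internet_access(log_text, authorized)
    return {"accounts": len(hits), "accesses": sum(hits.values())}


if __name__ == "__main__":
    for server, reason in servers_out_of_compliance(SERVER_LAST_SCAN, "2008-06-30 23:59"):
        print(f"SERVER SCAN FINDING: {server}: {reason}")
    for account, count in sorted(admin_internet_access(PROXY_LOG).items()):
        print(f"ADMIN INTERNET FINDING: {account}: {count} successful web access(es) without authorization")
    print(summarize_admin_access(PROXY_LOG))
```

Run stand-alone, the script flags the two servers without a scan in the last seven days and the three assumed administrator accounts with four successful web accesses between them. Only ALLOW entries count (a blocked request is not a successful access, which is what the report counted), accounts with written authorization are skipped, and malformed log lines are ignored rather than stopping the review, so a single bad export line does not hide every other finding.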
Of the 661 incidents reported in Calendar Year 2007, 311 were successful.7 Of these, 216 (69 percent) were caused by accesses to the Internet. Most of the accesses were to authorized Internet sites. However, users were inadvertently redirected to malicious web sites.

7 A successful malware incident is one in which the code successfully installs itself on the target computer and can begin executing to accomplish its intended objective.

As a result of these actions, the CSIRC found systems infected with malware in the form of viruses, worms, trojans, and spyware.8 CSIRC analysts noted in their reviews of malware incidents that these types of malware have the potential to corrupt the integrity of the data, affect the availability of resources, disclose sensitive data, or further propagate throughout the enterprise.

The CSIRC does not routinely contact users when their authorized system activity results in a successful malware incident. Users are contacted when their use of removable media results in a malicious code infection, but they are not contacted for other common causes of malware. We believe that notifying users and informing them of their specific activities that resulted in malware infections would serve to supplement and personalize the mandatory annual security training and better educate users about the malware threat. Notification would make users more aware of the risks of Internet use and raise awareness that their Internet use can affect the performance of their responsibilities by disabling their computer system and possibly other systems on the IRS network.

The CSIRC does not have standard operating procedures to address malware incidents when they are caused by user policy violations. The CSIRC responses address the malicious code but do not always address the policy violation that caused the malicious code. As a result, policy violations that can lead to malware infections are inconsistently handled. The policy violations we identified included using personal portable hard drives, downloading unauthorized software, and accessing unauthorized Internet sites. For some incidents caused by using personal portable hard drives, the CSIRC ensured that the user was contacted and counseled about IRS policy. However, we identified 23 successful and unsuccessful malicious code incidents caused by users violating IRS information technology resources and security policies that were closed without the users being contacted or counseled about their actions. We believe that the CSIRC has a responsibility to notify employees and their managers when their actions violate IRS policies.

IRS employees and contractors are required to annually certify that they have completed the IRS Information Protection Mandatory Briefing, which includes security awareness refresher training. The mandatory annual security training for IRS employees and contractors covers common ways in which users can infect systems with malware. The IRS security awareness training should be updated to include a more thorough list of the actions that have led to malware infections on IRS systems. The training presentation lists the opening of virus-infected email attachments, installing software downloaded from the network, and linking to web sites containing malware as common ways in which users can infect systems with malware. However, the training does not include the use of personal portable devices and removable media as common ways in which users can infect systems with malicious code. Of the 661 malware incidents reported in 2007, 69 (10 percent) were caused by users inserting removable media such as compact discs or connecting external or portable hard drives to their systems.

8 A virus is a self-replicating program that is inserted into computer software or data files. Viruses are often triggered through user interaction, such as opening a file or running a program. A worm is usually a small, self-contained and self-replicating computer program that invades computers on a network and usually performs a destructive action. A trojan is a self-contained, non-replicating program that, while appearing to be benign, actually has hidden malicious code. Trojan horses either replace existing files with malicious versions or add new malicious files. Spyware is software that collects information from computers and transmits it to third parties without the knowledge or informed consent of computer users.

Recommendations

The Chief Information Officer should:

Recommendation 1: Schedule automatic scans of antivirus software on servers.

    Management's Response: IRS management agreed with this recommendation. They will schedule automated antivirus scans on servers and will use the Symantec™ Antivirus console to regularly monitor servers to ensure that antivirus scans are executed weekly as required by the Internal Revenue Manual.

Recommendation 2: Regularly remind administrators not to use their administrator accounts to access the Internet and monitor Internet activity to determine whether administrators are complying with this control.

    Management's Response: IRS management agreed with this recommendation. They will issue regular reminders on Internet access restrictions for administrators by including information in mandatory annual security awareness training and by periodically publishing information in existing communication channels such as organizational webpages and newsletters. Management will also continually monitor the enterprise content filtering solution for Internet access by administrator accounts, regularly report violations to the Cybersecurity Operations organization and IRS Security Offices, conduct followup actions to validate the need for access, and remind administrators that such activity violates IRS policy.

Recommendation 3: Notify employees and their managers when their activity results in a successful malicious code incident, particularly when the activity is a violation of IRS policy.

    Management's Response: IRS management agreed with this recommendation. The Cybersecurity Operations organization will implement revised processes to facilitate the continued prevention, detection, and response to cyber incidents, while ensuring that employees and their managers are notified regarding applicable cyber incidents.

Recommendation 4: Update the IRS security awareness training to include the use of portable and removable media among the common ways in which users can introduce malicious code to the network and the potential effects.

    Management's Response: IRS management agreed with this recommendation. The IRS will convert to the Information Systems Security Line of Business awareness training course (as mandated by the Department of the Treasury) that addresses the use of portable and removable media being among the common ways in which users can introduce malicious code to the network and the potential effects. Management will continue to review updates to the training course content to ensure that this topic is included in the final version.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to determine whether adequate security controls are present to prevent and respond to malware1 attacks. We specifically reviewed the IRS' responses to incidents identified by the CSIRC for Calendar Year 2007.

The electronic data used in this review, with the exception of the CSIRC incident log, were source data extracted directly from IRS systems. The Government Accountability Office document Assessing the Reliability of Computer-Processed Data (GAO-03-273G, dated October 2002) provides that information system reviews are an exception that does not require data validation because the information system controls are tested as part of the review.

To accomplish our objective, we:

I.  Determined whether the IRS had adequate procedures in place to respond to and eradicate malware identified on IRS computer systems.
    A. Identified the requirements for responding to and eradicating malware identified on IRS computer systems from sources such as the Internal Revenue Manual, National Institute of Standards and Technology2 guidance, and the Department of the Treasury recommended Enhanced Cyber Security Controls.
    B. Assessed the adequacy of controls over malware incident response.
        1. Obtained a list of all malware incidents identified by the CSIRC for Calendar Year 2007.
        2. Determined whether the incident report was valid and complete.
        3. Determined whether IRS responses to incidents identified by the CSIRC followed IRS, Department of the Treasury, and other Federal Government requirements.
    C. Identified the reasons for inadequacy of responses to malware incidents.
    D.
Assessed the effect of inadequate control weaknesses on responding to malware\n           incidents.\n\n1\n  Malware, also known as malicious code or malicious software, refers to a computer program that is inserted into a\ncomputer system with the intent of compromising the confidentiality, integrity, or availability of an organization\xe2\x80\x99s\ndata, applications, or operating systems.\n2\n  The National Institute of Standards and Technology, a Federal Government agency within the Department of\nCommerce, develops and issues standards, guidelines, and other publications to assist Federal Government agencies\nin protecting their information and information systems.\n                                                                                                            Page 9\n\x0c                    While Controls Have Been Implemented to Address Malware,\n                   Continued Attention Is Needed to Address This Growing Threat\n\n\n\nII.      Determined whether the IRS had adequate controls in place to prevent malware from\n         affecting IRS computers.\n         A. Identified the requirements for preventing malware from being introduced into the\n            network from sources such as the Internal Revenue Manual, National Institute of\n            Standards and Technology guidance, and the Department of the Treasury\n            recommended Enhanced Cyber Security Controls.\n         B. Determined whether required controls to prevent malware had been implemented and\n            were working properly.\n             1. Determined whether administrator accounts3 are prohibited from web browsing\n                and accessing other Internet connections outside of the IRS and the Department of\n                the Treasury protected boundary, unless authorized in writing by the Chief\n                Information Officer or his or her designee.\n             2. 
Determined whether administrator accounts are prohibited from receiving email\n                from accounts outside of the Department of the Treasury, unless authorized in\n                writing by the Chief Information Officer or his or her designee.\n             3. Determined whether known malicious sites, as identified to the Department of the\n                Treasury from the US-CERT4 or other sources, are blocked (inbound and\n                outbound) at each Internet Access Point (unless explicit instructions are provided\n                to Bureaus not to block specific sites). Blocking is to be accomplished within\n                2 business days following US-CERT or Departmental release of such sites.\n             4. Determined whether the IRS blocked access to online email sites.\n             5. Determined whether intrusion detection systems (or other functionally equivalent\n                technology) are updated with new indicators/signatures5 as they are made\n                available by the US-CERT or the Department of the Treasury.\n\n\n\n\n3\n  An administrator account is a user account present on several popular network operating systems that has the\nhighest level of control over a system and/or network. This account might have the ability to install hardware and\nsoftware on the system; add, modify, or delete user accounts; and modify a system\xe2\x80\x99s security features.\n4\n  The US-CERT is a partnership between the Department of Homeland Security and the public and private sectors.\nEstablished in 2003 to protect the nation\xe2\x80\x99s Internet infrastructure, the US-CERT coordinates defense against and\nresponses to cyber attacks across the nation.\n5\n  A virus signature is the binary pattern of the machine code of a particular virus. Antivirus programs compare their\ndatabases of virus signatures with the files on the hard disk and removable media to identify a virus. 
The antivirus\nvendor updates the signatures frequently and makes them available to customers via the Internet.\n                                                                                                            Page 10\n\x0c                    While Controls Have Been Implemented to Address Malware,\n                   Continued Attention Is Needed to Address This Growing Threat\n\n\n\n             6. Determined whether antivirus software:\n                  a) Is installed on all IRS workstations and servers.\n                  b) Is updated with new virus signatures in a timely manner.\n                  c) Includes spyware6 checking.\n                  d) Is periodically run on all IRS computers.\n                  e) Is updated and run each time an IRS computer connects to the IRS network.\n                  f) Scans all portable media connected to an IRS computer.\n                  g) Scans all incoming email.\n         C. Identified the reasons for inadequate malware prevention controls.\n         D. Assessed the effect of inadequate malware prevention controls.\n\n\n\n\n6\n Spyware is software that collects information from computers and transmits it to third parties without the\nknowledge or informed consent of computer users.\n                                                                                                              Page 11\n\x0c                While Controls Have Been Implemented to Address Malware,\n               Continued Attention Is Needed to Address This Growing Threat\n\n\n\n                                                                               Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. 
Begg, Acting Assistant Inspector General for Audit (Security and Information\nTechnology Services)\nStephen Mullins, Director\nKent Sagara, Acting Director\nMichael Howard, Audit Manager\nCarol Taylor, Audit Manager\nAlan Beber, Senior Auditor\nCharles Ekunwe, Senior Auditor\nMyron Gulley, Senior Auditor\nJoan Raniolo, Senior Auditor\n\n\n\n\n                                                                                       Page 12\n\x0c                While Controls Have Been Implemented to Address Malware,\n               Continued Attention Is Needed to Address This Growing Threat\n\n\n\n                                                                 Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nChief Information Officer OS:CIO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Chief Information Officer OS:CIO\n\n\n\n\n                                                                       Page 13\n\x0c     While Controls Have Been Implemented to Address Malware,\n    Continued Attention Is Needed to Address This Growing Threat\n\n\n\n                                                    Appendix IV\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                           Page 14\n\x0c While Controls Have Been Implemented to Address Malware,\nContinued Attention Is Needed to Address This Growing Threat\n\n\n\n\n                                                       Page 15\n\x0c While Controls Have Been Implemented to Address Malware,\nContinued Attention Is Needed to Address This Growing Threat\n\n\n\n\n                                                       Page 16\n\x0c'